Marc Weber wrote:
So what are people looking for? For a CSS parser built into the urweb compiler which recognizes valid links and checks them against a valid list of links which may be used for CSS ? Then injection attacks would be impossible because putting arbitrary CSS code from a database into style attributes would be rejected because it can't be parsed at runtime?
URL's are an abstract datatype in Ur/Web, with a clearly defined policy for which URL's are allowed. I don't want to allow style code to include URL's that the policy rejects.
The canonical example to avoid is "javascript:" URL's, which clearly allow code injection, though I don't know to what extent browsers will actually run JavaScript code introduced through CSS. My concerns are primarily about code injection, not "information leakage."
Oh, last but not least: URLs in styles (with hex something decoding) are used to speed up loading of pages as well, because no additional small icons have to be fetched, adding yet another round trip.
Then those URL's should be whitelisted in a .urp file.

_______________________________________________
Ur mailing list
[email protected]
http://www.impredicative.com/cgi-bin/mailman/listinfo/ur
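The policy the reply describes, as an added example that is not Ur/Web's own code: a small Python checker that extracts url() tokens from a style string, decodes CSS hex escapes, normalizes the scheme case the way a browser would, and accepts only URLs that match an allowlist of prefixes (a stand-in for the whitelist the reply says belongs in a .urp file; the .urp format itself is not reproduced). The allowlist entries, host names and sample style strings are constructed for illustration.

```python
import re

# Constructed allowlist of URL prefixes permitted inside style code.
# Ur/Web keeps this policy in its .urp file; the list below is a stand-in,
# not Ur/Web's own syntax.
ALLOWED_URL_PREFIXES = (
    "https://cdn.example.org/",   # constructed CDN host
    "/static/",                   # same-origin relative paths
    "data:image/png;base64,",     # inlined icons, as discussed in the thread
)

# CSS url() token: url( ws? ( "..." | '...' | bare ) ws? )
_URL_TOKEN = re.compile(
    r"""url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)""",
    re.IGNORECASE,
)


def _decode_css_escapes(s: str) -> str:
    """Decode CSS escapes so the policy sees what the browser sees.

    "\\6A " is the hex escape for "j"; a single whitespace after the hex
    digits is consumed, as in the CSS syntax rules. Other "\\x" escapes
    stand for the literal character x.
    """
    s = re.sub(r"\\([0-9a-fA-F]{1,6})\s?",
               lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"\\(.)", r"\1", s)


def _normalize(url: str) -> str:
    """Apply the WHATWG URL parser's leniencies before comparing.

    Tab and newline characters are removed from the whole input, and the
    scheme is case-insensitive, so "JavaScript:" and "javascript:" compare
    the same way against the allowlist.
    """
    url = url.strip().replace("\t", "").replace("\n", "").replace("\r", "")
    scheme, sep, rest = url.partition(":")
    if sep and re.fullmatch(r"[A-Za-z][A-Za-z0-9+.\-]*", scheme):
        return scheme.lower() + ":" + rest
    return url


def extract_urls(style: str) -> list:
    """Return every url() argument in a style string, decoded and normalized."""
    found = []
    for m in _URL_TOKEN.finditer(style):
        raw = next(g for g in m.groups() if g is not None)
        found.append(_normalize(_decode_css_escapes(raw)))
    return found


def url_allowed(url: str) -> bool:
    """Allowlist check: a URL is accepted only if it starts with a known prefix."""
    return any(url.startswith(prefix) for prefix in ALLOWED_URL_PREFIXES)


def check_style(style: str) -> tuple:
    """Return (ok, rejected_urls); the style is acceptable only if no url() fails."""
    rejected = [u for u in extract_urls(style) if not url_allowed(u)]
    return (not rejected, rejected)


if __name__ == "__main__":
    # Constructed style strings: the first two pass, the rest are rejected.
    for sample in (
        'background: url("https://cdn.example.org/icons/a.png")',
        "background: url(data:image/png;base64,iVBORw0KGgo=)",
        "background: url('javascript:void(0)')",
        'background: url("\\6A avascript:void(0)")',
        "background: url(https://other.example.net/x.png)",
    ):
        print(check_style(sample), "<-", sample)
```

Because the check is an allowlist on the decoded, normalized string, an escaped or mixed-case "javascript:" is rejected for the same reason as the plain form: it simply matches no permitted prefix. Adding a data: prefix to the list is how the inlined-icon case from the thread is admitted without opening the scheme in general.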
